“The security industry faces critical challenges in our efforts to share
threat intelligence between entities, among vendor solutions, and even
within vendor portfolios,” said Vincent Weafer, Vice President of McAfee
Labs. “Working together is power. Addressing these challenges will
determine the effectiveness of cybersecurity teams to automate detection
and orchestrate responses, and ultimately tip the cybersecurity balance
in favor of defenders.”

The report reviews the background and drivers of threat intelligence
sharing; various threat intelligence components, sources, and sharing
models; how mature security operations can use shared data; and critical
sharing challenges that the industry must overcome. Those challenges
include:

Volume. A massive signal-to-noise problem continues to plague
defenders trying to triage, process, and act on the highest-priority
security incidents.

Validation. Attackers may file false threat reports to mislead
or overwhelm threat intelligence systems, and data from legitimate
sources can be tampered with if poorly handled.

Quality. If vendors focus just on gathering and sharing more
threat data, there is a risk that much of it will be duplicative,
wasting valuable time and effort. Sensors must capture richer data to
help identify key structural elements of persistent attacks.

Speed. Intelligence received too late to prevent an attack is
still valuable, but only for the cleanup process. Security sensors and
systems must share threat intelligence in near real time to match
attack speeds.

Correlation. The failure to identify relevant patterns and key
data points in threat data makes it impossible to turn data into
intelligence and then into knowledge that can inform and direct
security operations teams.

To move threat intelligence sharing to the next level of efficiency and
effectiveness, McAfee Labs suggests focusing on three areas:

Connecting the dots. Establish relationships between indicators
of compromise so that threat hunters can understand their connections
to attack campaigns.

Better sharing models. Improve ways to share threat
intelligence between our own products and with other vendors.

“Increasingly sophisticated attackers are evading discrete defense
systems, and siloed systems let in threats that have been stopped
elsewhere because they do not share information,” Weafer continued.
“Threat intelligence sharing enables us to learn from each other’s
experiences, gaining insight based on multiple attributes that build a
more complete picture of the context of cyber events.”

Mirai Botnet Proliferation

Mirai was responsible for the fourth quarter’s highly publicized DDoS
attack on Dyn, a major DNS service provider. Mirai is notable because it
detects and infects poorly secured IoT devices, transforming them into
bots to attack its targets.

The October public release of the Mirai source code led to a
proliferation of derivative bots, although most appear to be driven by
script kiddies and are relatively limited in their impact. But the
source code release has also led to offerings of “DDoS-as-a-service”
based on Mirai, making it simple for unsophisticated yet willing
attackers to execute DDoS attacks that leverage other poorly secured IoT
devices. Mirai botnet-based DDoS attacks are available as a service in
the cybercriminal marketplace for $50 to $7,500 per day.

McAfee Labs estimates that 2.5 million Internet of Things (IoT) devices
were infected by Mirai by the end of Q4 2016, with about five IoT device
IP addresses added to Mirai botnets each minute at that time.

For more on the Mirai botnet, please see our blog and video on the topic.

Malware growth. The number of new malware samples slowed 17% in
Q4, while the overall count grew 24% in 2016 to 638 million samples.

Mobile malware. The number of new mobile malware samples
declined 17% in Q4, while total mobile malware grew 99% in 2016.

Ransomware growth. The number of new ransomware samples dropped
71% in Q4, mostly due to a drop in generic ransomware detections, as
well as a decrease in the activity of the Locky and CryptoWall
strains. The number of total ransomware samples grew 88% in 2016.

Mac OS malware. Although still small compared to Windows
threats, the number of new Mac OS malware samples grew 245% in Q4 due
to adware bundling. Total Mac OS malware grew 744% in 2016.

Spam botnets. Spam email messages from the top 10 botnets
dropped 24% in Q4 to 181 million emails. They generated 934 million
spam messages in 2016 overall.

Reported security incidents. McAfee counted 197
publicly disclosed security incidents in Q4 and 974 publicly disclosed
security incidents in 2016. Security incidents are events that
compromise the integrity, confidentiality, or availability of
information assets. Some, but not all, of these incidents are
breaches. Breaches are incidents that result in the confirmed
disclosure (not just potential exposure) of data.

Public sector cyber-attacks. The public sector experienced the
greatest number of incidents by far, but McAfee believes this may be
the result of stricter requirements for reporting incidents, as well
as an increase in attacks related to the U.S. election process, mostly
voter database incidents and defacing of election websites.

Banking and gaming attacks. A Q3 jump in incidents in the
software development sector was due to the rise in attacks on gaming
platforms. In the finance sector, the SWIFT attacks on the banking
sector led to a Q2 jump in incidents.

Botnet activity. The KelihosC botnet, a recent purveyor of
phony pharmaceuticals and Russian automotive supplies (such as “winter
and summer tires at competitive prices”), increased its overall volume
during Q4.

For more information on these trends, or more threat landscape
statistics for Q4 2016, visit www.mcafee.com for the full report.

For guidance on how organizations can better protect their enterprises
from the threats detailed in this quarter’s report, visit Enterprise
Blog.

About McAfee Labs

McAfee Labs is one of the world’s leading sources for threat research,
threat intelligence, and cybersecurity thought leadership. With data
from millions of sensors across key threat vectors—file, web, and
network—McAfee Labs delivers real-time threat intelligence, critical
analysis, and expert thinking to improve protection and reduce risks.
McAfee Labs also develops core threat detection technologies that are
incorporated into the broadest security product portfolio in the
industry.

About McAfee

McAfee is one of the world’s leading independent cybersecurity
companies. Inspired by the power of working together, McAfee creates
business and consumer solutions that make the world a safer place. www.mcafee.com

McAfee and the McAfee logo are trademarks of McAfee LLC in the United
States and other countries.